SCEP - Using SCOM to monitor SCEP scans?

Is anyone monitoring for the start and end of SCEP scans? I’m trying to convince our Windows Engineering team and Security that the Full Weekly Scans aren’t effective on large disks, but I need to be able to show how long they are taking. We’ve observed that some will go on over 1 week, resulting in the subsequent failure of the next scheduled weekly Full scan. I’m also working on the theory that while SCEP is occupied wasting its time on a Full scan, it’s not updating its definition files, because I work the compliance issues on systems with DEFs over 5 days old and every single one of them is running a Full scan when I log in. The GUI isn’t helpful because it shows the session time as the start of the scan.

I haven’t dug too deeply into this, so there’s a chance I’m missing something obvious.

Edit: I could just do a process monitor, but I was hoping more for an event based monitor solution; still digging.

Hi, as far as I know SCEP writes scan logs under:

Log locations:

%allusersprofile%\Microsoft\Microsoft Antimalware\Support – Log files specific to the antimalware service
%allusersprofile%\Microsoft\Microsoft Security Client\Support – Log files specific to the SCEP client software
%windir%\WindowsUpdate.log – Windows Update log file, which includes information about definition updates
%windir%\CCM\Logs\EndpointProtectionAgent.log – Shows Endpoint Protection version and policies applied
%windir%\temp\MpCmdRun.log – Activity when performing scans and signature updates
%windir%\temp\MpSigStub.log – Update progress for signature and engine updates


For Monitoring these logs you can use the NICE Log Monitoring Management Pack.

Maybe you can find in one of these logs a start and end Marker.


Sorry for not updating this earlier, but what I’ve decided to go with was much simpler. I found that Event ID 1000 (Source: Microsoft Antimalware) in the System Event Log indicates the start of a scan, and 1001 indicates the end. I built a simple Windows Event monitor to show a Warn when the scan starts, and then go Green when it stops. Then I can just check the health explorer and see the amount of time it took.

When I have more time, perhaps in a different lifetime, I plan on enhancing this to allow for a critical for event ID 1002, which indicates the scan was cancelled.

Thanks for the log info, I have the NICE PM, so I may spend some time looking into using it more.
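As an added example (not from anyone in this thread), here is a PowerShell script that does the same pairing the event monitor above relies on, but directly against the System event log: it matches Microsoft Antimalware Event ID 1000 (start) with the following 1001 (finished) or 1002 (cancelled), reports each scan's duration, and flags scans that ran longer than a threshold. The 7-day threshold, the 30-day lookback and the "NoEndEvent"/"StillRunning" outcome labels are assumptions.

```powershell
# Added example: measure SCEP scan duration from System log events.
# Event IDs used: 1000 = scan started, 1001 = scan finished, 1002 = scan cancelled
# (provider "Microsoft Antimalware"), as reported in the thread.
param(
    [int]$Days = 30,                                        # lookback window (assumed)
    [TimeSpan]$WarnIfLongerThan = [TimeSpan]::FromDays(7)   # threshold (assumed)
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'
    Id           = 1000, 1001, 1002
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent returns newest first; sort oldest first so each start precedes its end.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$results = [System.Collections.Generic.List[object]]::new()
$open = $null   # the most recent 1000 event without a matching 1001/1002

foreach ($e in $events) {
    if ($e.Id -eq 1000) {
        # A second start with one still open means the earlier scan never logged
        # an end event (e.g. the host rebooted mid-scan); report it as unfinished.
        if ($open) {
            $results.Add([pscustomobject]@{ Start = $open.TimeCreated; End = $null;
                                            Outcome = 'NoEndEvent'; Duration = $null })
        }
        $open = $e
    }
    elseif ($open) {
        $outcome = if ($e.Id -eq 1001) { 'Finished' } else { 'Cancelled' }
        $results.Add([pscustomobject]@{ Start = $open.TimeCreated; End = $e.TimeCreated;
                                        Outcome = $outcome; Duration = ($e.TimeCreated - $open.TimeCreated) })
        $open = $null
    }
}

# A start with no end yet is the scan currently running; measure it up to now.
if ($open) {
    $results.Add([pscustomobject]@{ Start = $open.TimeCreated; End = $null;
                                    Outcome = 'StillRunning'; Duration = ((Get-Date) - $open.TimeCreated) })
}

$results |
    Select-Object Start, End, Outcome, Duration,
        @{ n = 'OverThreshold'; e = { $null -ne $_.Duration -and $_.Duration -gt $WarnIfLongerThan } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the monitored host (or wrap it in a SCOM script monitor); an "OverThreshold" of True on a Full scan is the evidence the original post was looking for.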